LARTC

Re: Interesting article about punching holes in firewalls...

To: Grant Taylor <gtaylor@riverviewtech.net>
Subject: Re: Interesting article about punching holes in firewalls...
From: Cedric Blancher <blancher@cartel-securite.fr>
Date: Mon, 18 Dec 2006 08:26:53 +0100
Cc: Mail List - Linux Advanced Routing and Traffic Control <lartc@mailman.ds9a.nl>, Mail List - Netfilter <netfilter@lists.netfilter.org>
Delivered-to: sp-com-lists@consult.net
Delivered-to: netfilter-list1@securepoint.com
In-reply-to: <45860240.2040102@riverviewtech.net>
List-archive: </pipermail/netfilter>
List-help: <mailto:netfilter-request@lists.netfilter.org?subject=help>
List-id: General discussion and user questions <netfilter.lists.netfilter.org>
List-post: <mailto:netfilter@lists.netfilter.org>
List-subscribe: <https://lists.netfilter.org/mailman/listinfo/netfilter>, <mailto:netfilter-request@lists.netfilter.org?subject=subscribe>
List-unsubscribe: <https://lists.netfilter.org/mailman/listinfo/netfilter>, <mailto:netfilter-request@lists.netfilter.org?subject=unsubscribe>
Organization: Cartel Securite
References: <45860240.2040102@riverviewtech.net>
Sender: netfilter-bounces@lists.netfilter.org
On Sunday, 17 December 2006 at 20:51 -0600, Grant Taylor wrote:
> I personally have known that using "-m state --state 
> ESTABLISHED,RELATED" was not the most secure thing to use for returning 
> traffic.  Namely this will allow you to make a valid connection to a web 
> server, say to retrieve a picture.  Then said web server could send 
> malicious traffic back to your computer and pass through your firewall. 
> This is because the traffic coming from the web server to your
> computer is now deemed as RELATED.

How? AFAIK, RELATED is used for two types of packets:

        . ICMP errors matching previously seen IP flow
        . First packet of expectations created through a helper

HTTP does not have any helper; this lets ICMP go through. Is it a
vuln? I don't think so. However, a remote server can refuse to close the
connection and send further data using the ESTABLISHED state. Well, how do
you prevent that from the firewall perspective?

I must admit I don't quite see your point here. Can you elaborate a bit,
please? Thx.


-- 
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
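As an added example (not from this thread), a FORWARD ruleset in iptables-restore format that applies the distinction made above: since HTTP has no conntrack helper, RELATED is accepted only for ICMP errors and any other RELATED packet is dropped, while ESTABLISHED covers return traffic of connections the LAN side opened. The interface name and LAN prefix are placeholders; the script prints the ruleset unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a FORWARD ruleset (iptables-restore
# format) for a firewall in front of LAN clients that only open outbound HTTP/HTTPS.
# Instead of a blanket "--state ESTABLISHED,RELATED" accept, it admits RELATED only
# for ICMP errors (the sole RELATED traffic HTTP can produce, since it has no
# conntrack helper) and drops any other RELATED packet.
# Assumptions: the interface name and LAN prefix below are placeholders.
WAN_IF=${WAN_IF:-eth0}
LAN_NET=${LAN_NET:-192.168.1.0/24}

build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# RELATED: accept only ICMP error messages tied to an existing flow.
-A FORWARD -p icmp --icmp-type destination-unreachable -m conntrack --ctstate RELATED -j ACCEPT
-A FORWARD -p icmp --icmp-type time-exceeded -m conntrack --ctstate RELATED -j ACCEPT
-A FORWARD -p icmp --icmp-type parameter-problem -m conntrack --ctstate RELATED -j ACCEPT
# Any other RELATED packet would be a helper expectation; no helper is loaded
# for HTTP, so refuse it (revisit this if an FTP or SIP helper is ever enabled).
-A FORWARD -m conntrack --ctstate RELATED -j DROP
# ESTABLISHED: packets of flows already in the conntrack table. Note this still
# admits whatever the server sends for as long as the connection stays open.
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
# New outbound HTTP/HTTPS from the LAN.
-A FORWARD -s $LAN_NET -o $WAN_IF -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Dry run by default: print the ruleset. Set APPLY=1 to load it (needs root).
if [ "${APPLY:-0}" = "1" ]; then
    build_rules | iptables-restore
else
    build_rules
fi
```

The ESTABLISHED rule is exactly the case the reply asks about: a server that keeps the connection open can keep sending data through it, and this ruleset does not change that.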

